In March, New York state’s Department of Financial Services established a cybersecurity regulation for banks and insurance companies that was expected to have national and global impact. Months later, the National Association of Insurance Commissioners adopted a data security model law similar to New York’s.
In late October, the NAIC, the standard-setting organization governed by chief insurance regulators from all 50 states, the District of Columbia and five U.S. territories, adopted the Insurance Data Security Model Law, which includes provisions for investigating data security breaches.
“Considering the recent series of data breaches, cybersecurity is more important now than ever,” said Ted Nickel, NAIC president and Wisconsin insurance commissioner at the time, in a statement. “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”
For New York, the cybersecurity regulations have already been in place for months. In late August, the 180-day grace period for the DFS cybersecurity regulation expired, creating a watershed moment for insurers and the financial institutions doing business in New York. Under DFS’s groundbreaking regulation, entities the agency regulates would have to have state-approved plans to deter cyberattacks, and report any attacks within 72 hours of when they occur.
A reporter spoke with DFS Superintendent Maria Vullo about New York’s cybersecurity regulation and what role it has played in the NAIC’s adoption of the model law. Questions and answers have been edited for clarity and brevity.
Q: What role, if any, did DFS play in the NAIC’s adoption of the data security model law?
Vullo: It’s not a coincidence that the NAIC came out with a model a few months ago and that that model is almost exactly the same language as our regulation. We were, and I was, instrumental in moving the NAIC in this direction. I’ve made a point, since I arrived at this job, of really working through the NAIC and working with fellow commissioners in other states.
The NAIC had a task force on a model cybersecurity law for years that was going back-and-forth and had not led to anything close to being final. We finalized our cybersecurity regulation in February of 2017 and it became effective March 1. At the NAIC national meeting in April, I presented on what we had done in New York and urged that they consider adopting it. I maybe even said “mimicry is the best form of flattery. I have no problem with you plagiarizing.”
The person who had been the head of the task force at the NAIC had left, and so two new commissioners from South Carolina and Rhode Island ran the task force. My staff and I worked closely with them. The NAIC model is extremely close, and is pretty much verbatim in many, many places. It even includes a footnote that says compliance with the New York reg is compliance with the law.